Changes from PHP:
- If a user submits a POST request with an invalid reason,
they are returned back to the closure form with a BAD_REQUEST status.
- Now, users which created a PackageRequest have the ability to close
their own.
- Form action has been changed to `/requests/{id}/close`.
Closes https://gitlab.archlinux.org/archlinux/aurweb/-/issues/20
Signed-off-by: Kevin Morris <kevr@0cost.org>
This change implements the FastAPI version of the
/pkgbase/{name}/request form's action.
Changes from PHP:
- Additional errors are now displayed for the **merge_into** field,
which are only displayed when the Merge type is selected.
- If the **merge_into** field is empty, a new error is displayed:
'The "Merge into" field must not be empty.'
- If the **merge_into** field is given the name of a package base
which does not exist, a new error is displayed:
"The package base you want to merge into does not exist."
- If the **merge_into** field is given the name of the package
base that a request is being created for, a new error is
displayed: "You cannot merge a package base into itself."
- When an error is encountered, users are now brought back to
the request form which they submitted and an error is displayed
at the top of the page.
- If an invalid type is provided, users are returned to a BAD_REQUEST
status rendering of the request form.
Signed-off-by: Kevin Morris <kevr@0cost.org>
Introduces `aurweb.defaults` and `aurweb.filters`.
`aurweb.filters` is a location developers can put their additional
Jinja2 filters and/or functions. We should slowly move all of our
filters over here, where it makes sense.
`aurweb.defaults` is a new module which hosts some default constants
and utility functions, starting with offsets (O) and per page values
(PP).
As far as the new GET /requests is concerned, we match up here to
PHP's implementation, with some minor improvements:
Improvements:
* PP on this page is now configurable: 50 (default), 100, or 250.
* Example: `https://localhost:8444/requests?PP=250`
Modifications:
* The pagination is a bit different, but serves the exact same purpose.
* "Last" no longer goes to an empty page.
* Closes: https://gitlab.archlinux.org/archlinux/aurweb/-/issues/14
Signed-off-by: Kevin Morris <kevr@0cost.org>
Along with this, created a new test suite at test/test_html.py,
which has the responsibility of testing various HTML things
that are not suitable for another test suite.
Signed-off-by: Kevin Morris <kevr@0cost.org>
Changes from PHP:
- Form action now points to `/pkgbase/{name}/comaintainers`.
- When an error occurs, users are sent back to
`/pkgbase/{name}/comaintainers` with an error at the top of the page.
(PHP used to send people to /pkgbase/, which ended up at a blank
search page).
Closes: https://gitlab.archlinux.org/archlinux/aurweb/-/issues/51
Signed-off-by: Kevin Morris <kevr@0cost.org>
In addition, fix up some templates to display pinned comments,
and include the unpin form input for pinned comments, which is
not yet implemented.
Signed-off-by: Kevin Morris <kevr@0cost.org>
Deleters and edits were not previously taken into account.
This fix addresses that issue using User.has_credential.
Signed-off-by: Kevin Morris <kevr@0cost.org>
In PHP, this was implemented using an /rpc type 'get-comment-form'.
With FastAPI, we've decided to reorganize this into a non-RPC route:
`/pkgbase/{name}/comments/{id}/form`, rendered via the new
`templates/partials/packages/comment_form.html` template.
When the comment_form.html template is provided a `comment` object,
it will produce an edit comment form. Otherwise, it will produce a new
comment form.
A few new FastAPI routes have been introduced:
- GET `/pkgbase/{name}/comments/{id}/form`
- Produces a JSON response based on {"form": "<form_markup>"}.
- POST `/pkgbase/{name}/comments'
- Creates a new comment.
- POST `/pkgbase/{name}/comments/{id}`
- Edits an existing comment.
In addition, some Javascript has been modified for our new routes.
Signed-off-by: Kevin Morris <kevr@0cost.org>
`get_pkgbase` has been replaced with `get_pkg_or_base`, which is
quite similar, but it does take a new `cls` keyword argument which
is to be the model class which we search for via its `Name` column.
Additionally, this change fixes a bug in the `/packages/{name}` route
by supplying the Package object in question to the context and modifying
the template to use it instead of a hacky through-base workaround.
Examples:
pkgbase = get_pkg_or_base("some_pkgbase_name", PackageBase)
pkg = get_pkg_or_base("some_package_name", Package)
Signed-off-by: Kevin Morris <kevr@0cost.org>
In terms of performance, most queries on this page win over
PHP in query times, with the exception of sorting by Voted or
Notify (https://gitlab.archlinux.org/archlinux/aurweb/-/issues/102).
Otherwise, there are a few modifications: described below.
* Pagination
* The `paginate` Python module has been used in the FastAPI
project
here to implement paging on the packages search page. This
changes how pagination is displayed, however it serves the
same purpose. We'll take advantage of this module in other
places as well.
* Form action
* The form action for actions now use `POST /packages` to
perform. This is currently implemented and will be
addressed in a follow-up commit.
* Input names and values
* Input names and values have been modified to satisfy the
snake_case naming convention we'd like to use as much as
possible.
* Some input names and values were modified to comply with
FastAPI Forms: (IDs[<id>]) -> (IDs, <id>).
Signed-off-by: Kevin Morris <kevr@0cost.org>
Previously, we were running a single ORM query for every single package
to check for its voted or notified states. Now, we perform a single
ORM query for each of the set of voted or notified packages in
relation with the request user.
This improves performance drastically at the expense of some
manual code additions and set-dependency; i.e. we add a bit
more complexity and roundabout way of getting our data.
Closes: https://gitlab.archlinux.org/archlinux/aurweb/-/issues/102
Signed-off-by: Kevin Morris <kevr@0cost.org>
The "Account Type" selection was not properly being rendered
due to an incorrect equality. This has been fixed in
templates/partials/account_form.html.
Signed-off-by: Kevin Morris <kevr@0cost.org>
The new `extend_query` and `urlencode` filters are way cleaner ways
to achieve what we did with `dedupe_qs`.
Signed-off-by: Kevin Morris <kevr@0cost.org>
urlencode does more than just a quote_plus. Using urlencode
was not sensible, so this commit addresses that.
Signed-off-by: Kevin Morris <kevr@0cost.org>
This puts one more toward completion of the homepage
overall; we'll need to still implement the authenticated
user dashboard after this.
Signed-off-by: Kevin Morris <kevr@0cost.org>
These were being displayed regardless of the dep type
and state of DepDesc. This is fixed with this commit.
Signed-off-by: Kevin Morris <kevr@0cost.org>
A few things added with this commit:
- aurweb.packages.util
- A module providing package and pkgbase helpers.
- aurweb.template.register_filter
- A decorator that can be used to register a filter:
@register_filter("some_filter") def f(): pass
Additionally, template partials have been split off a bit
differently. Changes:
- /packages/{name} is defined in packages/show.html.
- partials/packages/package_actions.html is now
partials/packages/actions.html.
- partials/packages/details.html has been added.
- partials/packages/comments.html has been added.
- partials/packages/comment.html has been added.
- models.dependency_type additions: name and id constants.
- models.relation_type additions: name and id constants.
- models.official_provider additions: base official url constant.
Signed-off-by: Kevin Morris <kevr@0cost.org>
Slight markup changes, same style overall and same
form parameters as the PHP implementation.
In addition, we've disabled the "left" and "right"
navigation buttons when we're at the border of the
table.
CSS Changes:
- Added similar styling to submit `<buttons>` that submit `<input>` had.
- Added .results tr td[align="{left,right}"] styling to align
the result table's `More -->` button to the right of the table.
Signed-off-by: Kevin Morris <kevr@0cost.org>
Another part of the "Trusted User" collection of routes.
This allows a Trusted User to create a proposal.
New Routes:
- get `/addvote/`
- post `/addvote/`
Signed-off-by: Kevin Morris <kevr@0cost.org>
This commit ports the `/tu/?id={proposal_id}` PHP routes to
FastAPI into two individual GET and POST routes.
With this port of the single proposal view and POST logic,
several things have changed.
- The only parameter used is now `decision`, which
must contain `Yes`, `No`, or `Abstain` as a string.
When an invalid value is given, a BAD_REQUEST response
is returned in plaintext: Invalid 'decision' value.
- The `doVote` parameter has been removed.
- The details section has been rearranged into a set
of divs with specific classes that can be used for
testing. CSS has been added to persist the layout with
the element changes.
- Several errors that can be discovered in the POST path
now trigger their own non-200 HTTPStatus codes.
Signed-off-by: Kevin Morris <kevr@0cost.org>
This commit implements the '/tu' Trusted User index page.
In addition to this functionality, this commit introduces
the following jinja2 filters:
- dt: util.timestamp_to_datetime
- as_timezone: util.as_timezone
- dedupe_qs: util.dedupe_qs
- urlencode: urllib.parse.quote_plus
There's also a new decorator that can be used to enforce
permissions: `account_type_required`. If a user does not
meet account type requirements, they are redirected to '/'.
```
@auth_required(True)
@account_type_required({"Trusted User"})
async def some_route(request: fastapi.Request):
return Response("You are a Trusted User!")
```
Routes added:
- `GET /tu`: aurweb.routers.trusted_user.trusted_user
Signed-off-by: Kevin Morris <kevr@0cost.org>
This clones the end goal behavior of PHP, but it does not
concern itself with the revision form array at all.
Since this page on PHP renders out the entire list of
terms that a user needs to accept, we can treat a
POST request with the "accept" checkbox enabled as a
request to accept all unaccepted (or outdated revision)
terms.
This commit also adds in a new http middleware used to
redirect authenticated users to '/tos' if they have not
yet accepted all terms.
Signed-off-by: Kevin Morris <kevr@0cost.org>
This commit introduces a middleware function which adds
the following security headers to each response:
- Content-Security-Policy
- This includes a new `nonce`, which is tied to a user
via authentication middleware. Both an anonymous user
and an authenticated user recieve their own random nonces.
- X-Content-Type-Options
- Referrer-Policy
- X-Frame-Options
They are then tested for existence in test/test_routes.py.
Note: The overcomplicated-looking asyncio behavior in the
middleware function is used to avoid a warning about the old
coroutine awaits being deprecated. See
https://docs.python.org/3/library/asyncio-task.html#asyncio.wait
for more detail.
Signed-off-by: Kevin Morris <kevr@0cost.org>
* Added account_url filter to jinja2 environment. This produces a path
to the user's account url (/account/{username}).
* Updated archdev-navbar to link to new edit route.
+ Added migrate_cookies(request, response) to aurweb.util, a function
that simply migrates the request cookies to response and returns it.
+ Added account_edit tests to test_accounts_routes.py.
Signed-off-by: Kevin Morris <kevr@0cost.org>
* Added /register get and post routes.
+ Added default attributes to AnonymousUser, including a new
AnonymousList which behaves like an sqlalchemy relationship
list.
+ aurweb.util: Added validation functions for various user fields
used throughout registration.
+ test_accounts_routes: Added get|post register route tests.
Signed-off-by: Kevin Morris <kevr@0cost.org>
